System for and method of unconditionally secure digital signature

ABSTRACT

A digital signature system comprises a center computer and a first and second terminal devices which can communicate with each other. The center computer generates and outputs a signing-key for a signer and a verification-key for a verifier. The first terminal device accepts the signing-key, generates a digital signature for a digital data to be signed using the signing-key, and outputs the digital signature. The second terminal device accepts the verification-key, the signer&#39;s identification code (e.g. the unique code of the signer), an identification code of the digital data and the digital signature, and verifies the validity of the digital signature using the verification-key, the identification code of the digital data and the signer&#39;s identification code.

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention relates to a system for and ofunconditionally secure signature, more specifically to a digitalsignature system, a computer and a terminal device used in the digitalsignature system, a method of establishing a signing-key, averification-key and a digital signature, a method of verifying adigital signature.

[0003] 2. Description of the Background Art

[0004] In recent years, digital signatures are used as proof ofauthorship of, or at least agreement with, digital data.

[0005] While some data may only require the assurance of integrity for arelatively short period of time (say up to 5 years), some otherimportant data, such as court records and speeches by a parliamentarian,require the assurance of integrity for a long period of time (say up to50 years).

[0006] Currently, digital signature schemes based on the numbertheoretic problems are the prevalent methods used in providing dataintegrity. These schemes rely for their security on the assumedcomputational difficulty of computing certain number theoretic problems,such as factoring large composites or solving discrete logarithms in alarge finite field. Progress in computers as well as further refinementof various algorithms has made it possible to solve the number theoreticproblems of larger sizes. As an example, in August 1999, a team ofresearchers from around the world succeeded in cracking a 512-bit RSAcomposite by the use of the Number Field Sieve over the Internet. Onecan safely predict that even larger composites will be factored in thefuture.

[0007] The above discussions indicate the necessity of digital signatureschemes that provide assurance of long term integrity. In the pastdecade, several attempts by various researchers have been made toaddress the problem. However, schemes proposed by these researchers areessentially variants of authentication codes, and none of these schemeshas addressed the transferability of signatures among recipients.

[0008] Besides this, it is desired that a user's public key is based onthe identity of the user so that other users do not need to verify thevalidity of the relationship between a public key and an owner.

SUMMARY OF THE INVENTION

[0009] An object of the present invention is to realize a digitalsignature system that admits transferability, and provable securityagainst all of known attacks (impersonation, substitution, and transferwith a trap), based on no computationally hard problem.

[0010] Still further object of the present invention is to make a publickey of a user in the digital signature system be associated with theuser's unique identity, such as the user s name.

[0011] A digital signature system, according to the present invention,comprises a center computer and a first and second terminal deviceswhich can communicate with each other. The center computer generates andoutputs a signing-key to be inputted in the first terminal device, andgenerates and outputs a verification-key to be inputted in the secondterminal device. The first terminal device accepts the firstsigning-key, generates a digital signature for a digital data to besigned using the signing-key, and outputs the digital signature to beinputted in the second terminal device. The second terminal deviceinputs the verification-key, a signer's identification code (e.g. theunique code of a signer), the digital data and the digital signature,and verifies the validity of the digital signature using theverification-key, the digital data and the signer's identification code

[0012] The center computer, the first and second terminal devicescommunicate with each other through a medium including not only anetwork (inclusive of wired, wireless, satellite communication, theInternet and other public or dedicated network) but also a portablemedia such as a floppy disk, an MO disk, or the like.

[0013] Accordingly, the center computer may transmit through the networkthe signing-key to the first terminal device and may through the networktransmit the verification-key to the second terminal device. The firstterminal device may transmit through the network the digital signature,the digital data and the signer's identity (e.g. the name of the signer)to the second terminal device.

[0014] Alternatively, the signing-key which is generated in the centercomputer may be stored in a portable medium such as an FD, an MO, or thelike. The portable medium is mounted on the first terminal device, andthe signing-key is read in the first terminal device.

[0015] The verification-key which is generated in the center computermay be stored in a portable medium such as an FD, an MO, or the like.The portable medium is mounted on the second terminal device, and theverification-key is read in the second terminal device.

[0016] The digital data and the digital signature which is outputtedfrom the first terminal device may be stored in a portable medium suchas an FD, an MO, or the like. The portable medium is mounted on thesecond terminal device, and the digital data and the digital signatureare read in the second terminal device.

[0017] The signer's identification code may be transmitted from thefirst terminal device to the second terminal device. The signer'sidentity may be written on the FD on which the digital signature isrecorded. A verifier reads the signer's identity and inputs the signer'sidentification code which represents the signer's identity into thesecond terminal device.

[0018] According to the invention, since the center directly deliversthe verification-key to the verifier, differently from a conventionalconstruction of digital signature system, the verifier and the centercan make the verification-key be secret to other entities including thesigner. Hence, though in the conventional construction of digitalsignature system there exist no digital signature system withunconditional security against all known attacks (substitution attack,impersonation attack and transfer with a trap attack), by thisinvention, a digital signature system with unconditional securityagainst all known attacks can be realized, as described later.

[0019] A center computer, according to the present invention, comprisesfirst generating means for generating a signing-key for a signer (whichis to be inputted in the first terminal device), second generating meansfor generating a verification-key for a verifier (which is to beinputted in the second terminal device), a first output deviceoutputting the signing-key generated by the first generating means and asecond output device outputting the verification-key generated by thesecond generating means.

[0020] According to this invention, the above digital signature systemcan be constructed using the center computer.

[0021] A first terminal device, according to the present invention,comprises an accepting means for accepting a signing-key, a first inputdevice inputting the signing-key, a second input device inputting anidentification code of a digital data, a generating means for generatinga digital signature and an output device outputting a digital signature.

[0022] As the identification code of the digital data, the digital dataitself, a hashed value of the digital data using a hash function or thelike can be used.

[0023] According to this invention, the above digital signature systemcan be constructed using the first terminal device.

[0024] A second terminal device, according to the present invention,comprises a first accepting means for a verification-key, a first inputdevice inputting a verification-key, a second accepting means for adigital signature, a second input device inputting the digitalsignature, a third accepting means for a digital data, a third inputdevice inputting the identification code of the digital data. A fourthaccepting means for a signer's identity, a fourth input device inputtingthe signer's identification code and a verifying means for verifying thevalidity of the digital signature using the verification-key, thesigner's identification code and the identification code of the digitaldata.

[0025] According to this invention, the above digital signature systemcan be constructed using the second terminal.

[0026] In a center computer, a method of establishing a signing-key anda verification-key according to the present invention comprises thesteps of: generating a first multivariate function, generating a secondmultivariate function obtained by substituting a signer's identificationcode into a first variable of the first multivariate function,outputting the second multivariate function as a signing-key for thesigner, generating a random number, a third multivariate functionobtained by substituting the random number to a second variable of thefirst multivariate function, and outputting the random number and thethird multivariate function as a verification-key for the verifier.

[0027] According to this invention, the above method is not always basedon a computationally hard problem so that a digital signature system canbe constructed with unconditional security.

[0028] After establishing a signing-key and a verification-key accordingto the present invention, the signing-key is distributed to the signer,and the verification-key is distributed to the verifier.

[0029] When the signer wants to generate a digital signature in thefirst terminal device, a method of establishing a digital signatureaccording to the present invention comprises the steps: generating afourth multivariate function obtained by substituting an identificationcode of the digital data into the third variable of the secondmultivariate function, and outputting the fourth multivariate functionas a digital signature.

[0030] According to this invention, the above method is not always basedon a computationally hard problem so that a digital signature system canbe constructed with unconditional security.

[0031] When the verifier accepts the digital signature in the secondterminal device, the validity of the digital signature is verified usinga method which is according to the present invention comprising thesteps of: generating a first evaluation value by substituting the randomnumber into the second variable of the fourth multivariate function,generating a second value by substituting the signer's identificationcode and the identification code of the digital data into the first andthird variables of the third multivariate function, respectively, andaccepting the digital signature as valid if both of the first and secondevaluation values equal, and otherwise rejecting the digital signatureas invalid.

[0032] According to this invention, the above method is not always basedon a computationally hard problem so that a digital signature system canbe constructed with unconditional security. Furthermore, according tothis invention, since the signer's identification code is used as apublic key of the signer, the verifier does not need to verify thevalidity of the public key of the signer.

[0033] Although the methods of: establishing a signing-key and averification-key by the center computer; establishing a digitalsignature by the first terminal device; and verifying the validity ofthe digital signature by the second terminal device are presented in theabove, computers readable recording medium having a program recordedthereon, the program controlling computers so as to execute the sameprocedures as described above may also be utilized.

[0034] More explicit construction of a digital signature system withunconditional security is described in the embodiment by usingmultivariate polynomials over a finite field as the multivariatefunctions in the above construction method.

[0035] A multivariate polynomial over a finite field is used for thefirst, second, third and fourth multivariate function according to theabove methods of establishing a signing-key, a verification-key and adigital signature.

[0036] According to the present invention, since the method forconstructing a digital signature system is based on the randomness ofmultivariate polynomials over a finite field, a digital signature systemwhich is based on no computationally hard problem can be realized.

[0037] A multivariate polynomial is generated uniformly at random fromthe finite field for generating the first multivariate function,according the above method in which a multivariate polynomial over afinite field is used for the first multivariate function.

[0038] According to the present invention, since the randomness ofmultivariate polynomials over a finite field can be significantlyenhanced, the security of a digital signature system can be alsoenhanced.

[0039] The maximum degree of the first variable in the multivariatepolynomial over the finite field is taken more than or equal to n−1,where n is the number of signers, according to the above method in whicha multivariate polynomial is generated uniformly at random from thefinite field for generating the first multivariate function.

[0040] According to the present invention, by an information theoreticanalysis, a digital signature system with unconditional security whichallows n signers to generate signatures can be realized.

[0041] The number of variables of the second group of variables in themultivariate polynomial over the finite field is taken more than orequal to a pre-defined number of colluders among verifiers, according tothe above method in which a multivariate polynomial is generateduniformly at random from the finite field for generating the firstmultivariate function.

[0042] According to the present invention, by an information theoreticanalysis, a digital signature system with unconditional security whichis secure even if there exists the pre-defined number of colluders amongverifiers.

[0043] The maximum degree of the third variable in the multivariatepolynomial over the finite field is taken more than or equal to apre-defined number up to which each signer is allowed to generatedigital signatures, according to the above method in which amultivariate polynomial uniformly at random from the finite field forgenerating the first multivariate function.

[0044] According to the present invention, by an information theoreticanalysis, a digital signature system with unconditional security whichallows each signer to generate up to the pre-defined number of digitalsignatures.

[0045] A compressed data or an encoded data of a digital data by a hashfunction is used for an identification code of a digital signatureaccording the above digital signature system.

[0046] According to this invention, since an identification code of anydigital data can be represented by an element of a finite field which isused for the digital signature system, a signer can generate a signaturefor any digital data. However, in this case, the security of the digitalsignature system is based on the underlying hash function.

[0047] The foregoing and other objects, features, aspects and advantagesof the present invention will become more apparent from the followingdetailed description of the present invention when taken in conjunctionwith the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0048]FIG. 1 illustrates the overall configuration of a digitalsignature system according to an embodiment;

[0049]FIG. 2 illustrates a center computer, a first terminal device anda second terminal device from the viewpoint of generating a signing-keywith respect to the center computer, from the viewpoint of generating averification-key with respect to the center computer, from the viewpointof generating a digital signature with respect to the first terminaldevice and from the viewpoint of verifying a digital signature withrespect to the second terminal device;

[0050]FIGS. 3 and 4 illustrate flow charts showing the flow ofprocessing of the generation of the signing-key si in the centercomputer. FIG. 3 shows an outline of a signing-key generation program(1), and FIG. 4 shows an outline of the signing-key generation program(2);

[0051]FIG. 5 illustrates a flow chart showing the flow of processing ofthe generation of the verification-key vi in the center computer;

[0052]FIG. 6 illustrates a flow chart showing the flow of processing ofthe generation of a digital signature in the first terminal device; and

[0053]FIG. 7 illustrates a flow chart showing the flow of processing ofthe verification of the digital signature in the second terminal device.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0054] A digital signature system is a system in which a user generatesdigital signatures for any types of digital data (digital image, digitaldocument, digital sound), and a user determines who generated a digitalsignature.

[0055] In the digital signature system according to the presentembodiment, a center is set up, and a user, who wants to generate orverify a digital signature in the digital signature system, requests thecenter to issue a qualification that allows the user to generate orverify a signature, respectively. A user, who has qualification thatallows the user to generate a digital signature, is called a signer. Auser, who has qualification that allows the user to verify a digitalsignature, is called a verifier. A user can be given a qualification touse the digital signature system if the user is identified, for example,by showing the user's identification card. In the digital signaturesystem, each signer has an identification code which is an element of afinite field GF(q) with q elements. Each user's identification code ispublicly known to all other users.

[0056]FIG. 1 illustrates the configuration of a digital signature systemaccording to the first embodiment.

[0057] The digital signature system includes a center computer 10, aplurality of first terminal devices 20 and a plurality of secondterminal devices, which can be communicate with each other through amedium including not only a network (inclusive of wired, wireless,satellite communication, the Internet and other public or dedicatednetwork) but also a portable media such as a floppy disk, an MO disk, orthe like. In the present embodiment, the center computer shall be underthe management of a center. The first terminal device shall be under themanagement of a signer who generates a signature in the digitalsignature system. The second terminal device shall be under themanagement of a verifier who verifies a signature in the digitalsignature system. One terminal device 20 and one terminal device 30 areillustrated for convenience.

[0058] The center computer 10 has a signing-key generation program(including a signing-key generation program (1) shown in FIG. 3 and asigning-key generation program (2) shown in FIG. 4) and averification-key generation program (including a verification-keygeneration program shown in FIG. 5) installed therein. The centercomputer 10 includes, of course, an input device such as a keyboard, amouse and so on, and output device such as a display device, a storagedevice (a semiconductor memory, a hard disk, or the like), and acommunication device.

[0059] The first terminal device 20 and the second terminal device 30are also realized by a computer, e.g. a personal computer. The firstterminal device 20 has a signature generation program (including asignature generation program shown in FIG. 6), and the second terminaldevice 30 has a verification program (including a verification programshown in FIG. 7). The terminal devices 20 and 30 include an input devicesuch as a keyboard, a mouse and so on, and output device such as adisplay device, a storage device (a semiconductor memory, a hard disk),and a communication device.

[0060] With reference to FIG. 2, in the center computer 10, a firstmultivariate function F(x, y1, . . . , yω, z), described later, isgenerated, where x is a first variable, (y1, . . . , yω) is a secondvariable and z is a third variable. For each of signers i (i=1, . . . ,n), a second multivariate function, described later, is generated as aninherent signing-key si in the center computer 10 using the firstmultivariate function F(x, y1, . . . , yω, z) and the signer'sidentification code ui. Further, by using the first multivariatefunction F(x, y1, . . . , yω, z) and a random number (vj1, . . . , vjω),for each of verifiers j (j=1, . . . , n), a third multivariate functionand the random number (vj1, . . . , vjω) are generated as an inherentverification-key vj, described later, in the center computer 10.

[0061] The signing-keys si are distributed, respectively, to the signeri. The verification-keys vj are distributed, respectively, to theverifier j. The signing-key si and verification-key vj are delivered tothe signer i and the verifier j, respectively, by a secure channel, forexample, such as mail (mailing a floppy disk having the signing-key siand verification-key vi recorded thereon, etc.), in writing (a letter, afacsimile, etc.), or the like.

[0062] The first terminal device 20 reads the signing-key si and anidentification code m of a digital data M for which the signer wants tosign, and outputs a digital signature diM, as described later. As theidentification code m of the digital data M, the digital data M itself,a hashed value of the digital data M using a hash function or the likecan be used.

[0063] The signer i sends the signer i's identity, the digital data Mand the digital signature diM to a verifier though a medium includingnot only a network (inclusive of wired, wireless satelite communication,the Internet and other public or dedicated network) but also a portablemedia such as a floppy disk, an MO disk, or the like.

[0064] On receiving the signer i's identity, the digital data M and thedigital signature diM, the verification-key vj, the signer i'sidentification code ui, the identification code m of the digital data Mand the digital signature diM are inputted to the second terminal device30 which is controlled by a verifier j, who wants to determine thevalidity of the digital signature diM, and the second terminal device 30calculates a first evaluation value kijM, which is calculated from thedigital signature diM and the random number (vj1, . . . , vjω), and asecond evaluation value k′ijM, which is calculated from the signer i'sidentification code ui, the identification code m of the digital data Mand the third multivariate function. If the first evaluation value kijMis equal to the second evaluation value k′ijM, the digital signature diMis accepted as a valid digital signature. A verifier, who receives thesigner i's identity, the identification code m of the digital data M andthe digital signature diM, may further transfer the signer i's identity,the identification code m of the digital data M and the digitalsignature diM to another verifier though a medium including not only anetwork (inclusive of wired, wireless, satellite communication, theInternet and other public or dedicated network) but also a portablemedia such as a floppy disk, an MO disk, or the like.

[0065]FIGS. 3 and 4 illustrate flow charts showing the flow ofprocessing of the generation of the signing-key si. FIG. 3 shows andoutline of a signing-key generation program (1), and FIG. 4 shows anoutline of the signing-key generation program (2).

[0066] With reference to FIG. 3, description is first made of the flowof generating the first multivariate function F(x, y1, . . . , yω, z) inthe center computer 10. The center computer 10 generates a plurality ofrandom numbers a_fgh (f=0, . . . , n−1, g=0, . . . , ω, h=0, . . . , ψ)over a finite field GF(q) with q elements, where n is the total numberof signers, ω is the maximum number of colluders (bad users who try toforge a digital signature illegally) among all verifiers, and ψ is themaximum number of signatures which are allowed to generate per a signer.As an example, a random number generator program can be used for thegeneration of a_fgh (f=0, . . . , n−1, g=0, . . . , ω, h=0, . . . , ψ).By using a_fgh (f=0, . . . , n−1, g=0, . . . , ω, h=0, . . . , ψ) ascoefficients, the first multivariate function F(x, y1, . . . , yω, z)can be generated to be the following polynomial over the finite fieldGF(q): $\begin{matrix}{{F\left( {x,{y1},\cdots \quad,{y\quad \omega},z} \right)} = {{\sum\limits_{f = 0}^{n - 1}{\sum\limits_{h = 0}^{\psi}a}} - {{foh}\quad x^{f}z^{h}} + {\sum\limits_{f = 0}^{n - 1}{\sum\limits_{g = 1}^{\omega}{\sum\limits_{h = 0}^{\psi}a}}} - {{fgh}\quad x^{f}y_{g}{z^{h}.}}}} & \left( {{step}\quad 31} \right)\end{matrix}$

[0067] The first multivariate function F(x, y1, . . . , yω, z) is storedin the storage device in the center computer 10 (step 32).

[0068] With reference to FIG. 4, description is now made of generatingthe signing-key si. The center computer 10 reads the signer i'sidentification code and the first multivariate function F(x, y1, . . . ,yω, z) which is stored in the storage device in the center computer 10(step 41). The center computer 10, next, substitutes the first variablex=the identification code ui into the function F(x, y1, . . . , yω, z)to obtain the second multivariate function F(ui, y1, . . . , yω, z)which is the signing-key si and, then, outputs the signing-key si (step42).

[0069]FIG. 5 illustrates a flow chart showing the flow of processing ofthe generation of the verification-key vi in the center computer.

[0070] Firstly, the center computer 10 generate a random number (vi1, .. . , viω) uniformly at random from a finite field GF(q)^(ω) with q^(ω)elements (each of vi1, . . . , viω is an element of GF(q).) (step 51).

[0071] Next, the center computer 10 reads the first multivariatefunction F(x, y1, . . . , yω, z) from the storage device in the centercomputer 10 (step 52), and substitutes the second variable (y1, . . . ,yω)=the random number (vi1, . . . , viω) into the first multivariatefunction F(x, y1, . . . , yω, z) to obtain the third multivariatefunction F(x, vi1, . . . , viω, z) and (vi1, . . . , viω) which are theverification-key vi and, then, outputs the verification-key vi (step53).

[0072]FIG. 6 illustrates a flow chart showing the flow of processing ofthe generation of a digital signature diM in the first terminal device20.

[0073] The first terminal device 20 reads the identification code m ofthe identification code m of digital data M, for which the user i wantsto sign, and the signing-key si (from a storage device or an FD, forexample) (step 61).

[0074] In the digital signature system, the identification code m of thedigital data M to be signed is represented to be an element of GF(q). Inthe digital signature system, as the identification code m of thedigital data M, the digital data M itself is used if possible. If a sizeof a data is too large to be represented to be an element of GF(q), theuser may use a hash function to compress the data to be an element ofGF(q) to use the hashed value as the data to be signed.

[0075] The first terminal device 20, next, substitutes the thirdvariable z=the identification code m of digital data M into thesigning-key si to obtain the fourth multivariate function F(ui, y1, . .. , yω, m) which is the digital signature diM and, then output thedigital signature diM (step 62).

[0076]FIG. 7 illustrates a flow chart showing the flow of processing ofthe verification of the digital signature diM in the second terminaldevice 30.

[0077] The second terminal device 30, first, reads the signer i'sidentification code, the identification code m of digital data M, thedigital signature diM, and the verification-key vj (=F(x, vj1, . . . ,vjω, z) and (vj1, . . . , vjω)) (from a storage device or an FD, forexample) (step 71). The second terminal device 30, next, substitutes thefirst variable x=the user i's identification code ui and the thirdvariable z=the identification code m of digital data M into the thirdmultivariate function F(x, vj1, . . . , vjω, z) to obtain the firstevaluation value kijM:=F(ui, vj1, . . . , vjω, m) (step 72).

[0078] Further, the second terminal device 30 substitutes the secondvariable (y1, . . . , yω)=the random number (vj1, . . . , vjω) into thedigital signature diM, to obtain the second evaluation valuek′ijM:=F(ui, vj1, . . . , vjω, m) (step 73).

[0079] The second terminal device 30 compares the first evaluation valuekijM with the second evaluation value k′ijM (step 74). If the firstevaluation value kijM is equal to the second evaluation value k′ijM, thesecond terminal device outputs a verification result that indicates thatthe digital signature diM was signed by the signer i for theidentification code m of digital data M (step 75), otherwise the secondterminal device outputs another verification result that the digitalsignature diM was not signed by the signer i for the digital data (step76).

[0080] As an application of the present embodiment, a digital signaturesystem can be used for identification of a credit-card holder in on-lineshopping using a credit card on the Internet. In on-line shopping usinga credit card, a credit-card holder who wants to buy a goods from a shopneeds to show an electronic proof which indicates that the credit-cardholder wants to buy the goods from the shop. In order to fulfill thisrequirement, a credit-card company operates the center, and issues aninherent signing-key for each credit-card holder, as a signer, and aninherent verification-key for each shop keeper, as a verifier. Then, ina first terminal device which is located in the home of the credit-cardholder, the credit-card holder generates a digital signature for adigital document which indicates the content of a payment (a credit-cardnumber, an identification code of the goods, the number of the goods,etc.) using the credit-card holder's signing-key and transmits the nameof the credit-card holder, the digital signature and the digitaldocument to the shop through the Internet. On receiving the name of thecredit-card holder the digital signature and the digital document, in asecond terminal device which is located in the shop, the shop keeperverifies the validity of the digital signature using the shop'sverification-key, the credit-card holder's identification code, thedigital data. By the digital signature, the shop can determine if thedigital document was generated by the credit-card holder or not. Inpresent application, unforgeability of the digital signature can berealized based on no computationally hard problem, or based on thesecurity of the underlying hash function to compress the digitaldocument.

What is claimed is:
 1. A digital signature system comprising a centercomputer and a first and second terminal devices which can communicatewith each other, wherein: the center computer generates and outputs asigning-key to be inputted in the first terminal device, and generatesand outputs a verification-key to be inputted in the second terminaldevice; the first terminal device accepts the signing-key, generates adigital signature for a digital data to be signed using the signing-key,and outputs the digital signature to be inputted in the second terminaldevice; and the second terminal device accepts the verification-key, thesigner's identity, the identification code of the digital data and thedigital signature, and verifies the validity of the digital signatureusing the verification-key, the signer's identification code and theidentification code of the digital data.
 2. The digital signature systemaccording to claim 1, wherein the center computer comprises: a firstgenerating means for generating the signing-key for the signer; a secondgenerating means for generating the verification-key for the verifier; afirst output device outputting the signing-key generated by the firstgenerating means; and a second output device outputting theverification-key generated by the second generating means.
 3. Thedigital signature system according to claim 1, wherein the firstterminal device capable of communicating with the center comprises: anaccepting means for accepting the signer's signing-key; a first inputdevice inputting the signer's signing-key; a second input deviceinputting the identification code of the digital data; a thirdgenerating means for generating the digital signature; and a thirdoutput device outputting the digital signature generated by thegenerating means.
 4. The digital signature system according to claim 1,wherein the second terminal device capable of communicating with thecenter comprises: a first accepting means for the verification-key; athird input device inputting the verifier's verification-key; a secondaccepting means for accepting the signer's identity; a fourth inputdevice inputting the signer's identification code; a third acceptingmeans for the identification code of the digital data; a fifth inputdevice inputting the identification code of the digital data; a fourthaccepting means for accepting the digital signature; a sixth inputdevice inputting the digital signature; a verifying means for verifyingthe validity of the digital signature using the verification-key, thesigner's identification code and the identification code of the digitaldata; and a fourth output device outputting the result of verifying thevalidity of the digital signature, namely, acceptable as valid or not.5. A method, in a digital signature system comprising a center computerand a first and second terminal devices which can communicate with eachother, comprising the steps of: in the center computer, generating andoutputting a signing-key to be inputted in the first terminal device,and generating and outputting a verification-key to be inputted in thesecond terminal device; in the first terminal device, inputting thesigning-key, generating a digital signature for a digital data to besigned using the signing-key, and outputting the digital signature to beinputted in the second terminal device; and in the second terminaldevice, inputting the verification-key, the signer's identificationcode, the identification code of the digital data and the digitalsignature, and verifying the validity of the digital signature using theverification-key, the signer's identification code and theidentification code of the digital data.
 6. The method according toclaim 5 further comprising the steps of: in the center computer,generating the signing-key for the signer; generating theverification-key for the verifier; outputting the generated signing-key;and outputting the generated verification-key.
 7. The method accordingto claim 5 further comprising the steps of: in the first terminaldevice, inputting the signer's signing-key; inputting the identificationcode of the digital data; generating the digital signature; andoutputting the generated digital signature.
 8. The method according toclaim 5 further comprising the steps of: in the second terminal device,inputting the verifier's verification-key; inputting the signer'sidentification code; inputting the identification code of the digitaldata; inputting the digital signature; outputting the result ofverifying the validity of the digital signature, namely, acceptable asvalid or not.
 9. A computer readable recording medium having a first,second and third programs recorded thereon, the first programcontrolling a center computer so as to generate and output a signing-keyto be inputted in a first terminal device, to generate and output averification-key to be inputted in a second terminal device; the secondprogram controlling the first terminal device so as to accept thesigning-key, to generate a digital signature for a digital data to besigned using the signing-key, and to output the digital signature to beinputted in the second terminal device; and the third programcontrolling the second terminal device so as to accept theverification-key, the signer's identity, the identification code of thedigital data and the digital signature, and to verify the validity ofthe digital signature using the verification-key, the signer'sidentification code and the identification code of the digital data. 10.The computer readable recording medium according to claim 9, wherein thefirst program controls the center computer so as to: generate thesigning-key for the signer; generate the verification-key for theverifier; output the generated signing-key; and output the generatedverification-key.
 11. The computer readable recording medium accordingto claim 9, wherein the second program controls the first terminaldevice so as to: accept the signer's signing-key; input the signer'ssigning-key; input the identification code of the digital data; generatethe digital signature; and output the generated digital signature. 12.The computer readable recording medium according to claim 9, wherein thethird program controls the second terminal device so as to: accept theverification-key; input the verifier's verification-key; accept thesigner's identity; input the signer's identification code; accept theidentification code of the digital data; input the identification codeof the digital data; accept the digital signature; input the digitalsignature; verify the validity of the digital signature using theverification-key, the signer's identification code and theidentification code of the digital data; and output the result ofverifying the validity of the digital signature, namely, acceptable asvalid or not.
 13. A center computer in a digital signature systemcomprising: a first generating means for generating a signing-key for asigner; a second generating means for generating a verification-key fora verifier; a first output device outputting the signing-key generatedby the first generating means; and a second output device outputting theverification-key generated by the second generating means.
 14. Thecenter computer, according to claim 13, wherein: the first generatingmeans comprises means for generating a first multivariate function, andmeans for generating a second multivariate function obtained bysubstituting the signer's identification code into a first variable ofthe first multivariate function; the first output device outputs thesecond multivariate function as the signing-key for the signer; thesecond generating means comprises means for generating a random number,a third multivariate function obtained by substituting the random numberto a second variable of the first multivariate function; and the secondoutput device outputs the random number and the third multivariatefunction as the verification-key for the verifier.
 15. The centercomputer according to claim 14, wherein: the second multivariatefunction is generated by substituting the signer's identification codeinto a first group of variables of the first multivariate function. 16.The center computer according to claim 14, wherein: a group of randomnumbers is generated and the third multivariate function is generated bysubstituting the group of random numbers into a second group ofvariables of the first multivariate function; and the group of randomnumbers and the third multivariate function are outputted as theverification-key for the verifier.
 17. A method of establishing asigning-key for a signer and a verification-key for a verifiercomprising the steps of: generating a first multivariate function;generating a second multivariate function obtained by substituting thesigner's identification code into a first variable of the firstmultivariate function; outputting the second multivariate function as asigning-key for the signer; generating a random number, a thirdmultivariate function obtained by substituting the random number into asecond variable of the first multivariate function; and outputting therandom number and the third multivariate function as a verification-keyfor the verifier.
 18. The method of establishing a signing-key accordingto claim 17, wherein: the second multivariate function is generated bysubstituting the signer's identification code into a first group ofvariables of the first multivariate function; and the secondmultivariate function is outputted as a signing-key for the signer. 19.The method of establishing a verification-key according to claim 17,wherein: a group of random numbers is generated and the thirdmultivariate function is generated by substituting the group of randomnumbers into a second group of variables of the first multivariatefunction; and the group of random numbers and the third multivariatefunction are outputted as a verification-key for the verifier.
 20. Acomputer readable recording medium having a program recorded thereon,the program controlling the computer so as to: generate a firstmultivariate function; generate a second multivariate function obtainedby substituting a signer's identification code into a first variable ofthe first multivariate function; output the second multivariate functionas a signing-key for the signer; generate a random number, a thirdmultivariate function obtained by substituting the random number to asecond variable of the first multivariate function; and output therandom number and the third multivariate function as a verification-keyfor the verifier.
 21. The computer readable recording medium accordingto claim 20, wherein the program controls the computer so as to:generate the second multivariate function by substituting the signer'sidentification code into a first group of variables of the firstmultivariate function; and output the second multivariate function as asigning-key for the signer.
 22. The computer readable recording mediumaccording to claim 20, wherein the program controls the computer so asto: generate a group of random numbers and generate a third multivariatefunction by substituting the group of random numbers into a second groupof variables of the first multivariate function; and output the group ofrandom numbers and the third multivariate function as a verification-keyfor the verifier.
 23. A method of establishing a digital signature in adigital signature system comprising a center computer and a first andsecond terminal devices which can communicate with each other,comprising the steps of: in the center computer, generating a firstmultivariate function, generating a second multivariate functionobtained by substituting a signer's identification code into a firstvariable of the first multivariate function, outputting the secondmultivariate function as a signing-key for the signer, generating arandom number, a third multivariate function obtained by substitutingthe random number into a second variable of the first multivariatefunction, and outputting the random number and the third multivariatefunction as a verification-key for a verifier; in the first terminaldevice, accepting the signer's signing-key; inputting the acceptedsigner's signing-key; inputting an identification code of a digitaldata; generating a fourth multivariate function obtained by substitutingthe identification code of the digital data into the third variable ofthe second multivariate function, and outputting the fourth multivariatefunction as a digital signature; in the second terminal device,accepting the verification-key, inputting the accepted verifier'sverification-key, accepting the signer's identity, inputting thesigner's identification code, accepting the identification code of thedigital data, inputting the accepted identification code of the digitaldata, accepting the digital signature, inputting the accepted digitalsignature, generating a first evaluation value by substituting therandom number into the second variable of the fourth multivariatefunction, generating a second evaluation value by substituting thesigner's identification code and the identification code of the digitaldata into the first and third variables of the third multivariatefunction, respectively, and accepting the digital signature as valid ifboth of the first and second evaluation values equal, and otherwiserejecting the digital signature as invalid.
 24. A first terminal devicein a digital signature system comprising: an accepting means foraccepting a signer's signing-key; a first input device inputting thesigner's signing-key; a second input device inputting an identificationcode of a digital data; a generating means for generating a digitalsignature; and an output device outputting the digital signaturegenerated by the generating means.
 25. The first terminal deviceaccording to claims 24, wherein: the digital signature generating meansgenerates a fourth multivariate function obtained by substituting anidentification code of a digital data into a third variable of a secondmultivariate function; and the output device outputs the fourthmultivariate function as the digital signature.
 26. The first terminaldevice according to claim 25, wherein: the digital signature generatingmeans generates a fourth multivariate function by substituting anidentification code of a digital data into a third group of variables ofa second multivariate function; and the output device outputs the fourthmultivariate function as the digital signature.
 27. A method ofestablishing a digital signature comprising the steps of: accepting asigner's signing-key; inputting the accepted signer's signing-key;inputting an identification code of a digital data; generating a fourthmultivariate function obtained by substituting the identification codeof the digital data into a third variable of a second multivariatefunction; and outputting the fourth multivariate function as a digitalsignature.
 28. The method of establishing a digital signature accordingto claim 27, wherein: a fourth multivariate function is generated bysubstituting an identification code of a digital data into a third groupof variables of a second multivariate function; and the fourthmultivariate function is outputted as a digital signature.
 29. Acomputer readable recording medium having a program recorded thereon,the program controlling a computer so as to: accept an inputted signer'ssigning-key; accept an inputted identification code of a digital data;generate a fourth multivariate function obtained by substituting theidentification code of the digital data into a third variable of asecond multivariate function; and output the fourth multivariatefunction as a digital signature.
 30. The computer readable recordingmedium according to claim 29, wherein the program controls the computerso as to: generate a fourth multivariate function by substituting anidentification code of a digital data into a third group of variables ofa second multivariate function; and output the fourth multivariatefunction as a digital signature.
 31. A second terminal device in adigital signature system comprising: a first accepting means foraccepting a verification-key; a first input device inputting theverifier's verification-key; a second accepting means for accepting asigner's identity; a second input device inputting the signer'sidentification code; a third accepting means for an identification codeof a digital data; a third input device inputting the identificationcode of the digital data; a fourth accepting means for accepting adigital signature; a fourth input device inputting the digitalsignature; a verifying means for verifying the validity of the digitalsignature using the verification-key, the signer's identification codeand the identification code of the digital data; an output deviceoutputting the result of verifying the validity of the digitalsignature, namely, acceptable as valid or not.
 32. The second terminaldevice according to claim 31, wherein the verifying means for verifyingthe validity of the digital signature: generates a first evaluationvalue by substituting a random number into a second variable of a fourthmultivariate function; generates a second evaluation value bysubstituting the signer's identification code and the identificationcode of the digital data into a first and third variables of a thirdmultivariate function, respectively; and accepts the digital signatureas valid if both of the first and second evaluation values equal, andotherwise rejects the digital signature as invalid.
 33. The secondterminal device according to claim 32, wherein a first evaluation valueis generated by substituting a group of random numbers into a secondgroup of variables of the fourth multivariate function.
 34. The secondterminal device according to claim 32, wherein the signer'sidentification code is substituted into a first group of variables ofthe third multivariate function, or the identification code of thedigital data is substituted into a third group of variables of the thirdmultivariate function.
 35. A method of verifying the validity of adigital signature comprising the steps of: accepting a verifier'sverification-key; inputting the accepted verification-key; accepting asigner's identity; inputting the signer's identification code; acceptingan identification code of a digital data; inputting the identificationcode of the digital data; accepting a digital signature; inputting thedigital signature; generating a first evaluation value by substituting arandom number into a second variable of a fourth multivariate function;generating a second evaluation value by substituting the signer'sidentification code and the identification code of the digital data intoa first and third variables of a third multivariate function,respectively; and accepting the digital signature as valid if both ofthe first and second evaluation values equal, and otherwise rejectingthe digital signature as invalid.
 36. The method of verifying thevalidity of a digital signature according to claim 35, wherein a firstevaluation value is generated by substituting a group of random numbersinto a second group of variables of the fourth multivariate function.37. The method of verifying the validity of a digital signatureaccording to claim 35, wherein the signer's identification code issubstituted into a first group of variables of the third multivariatefunction, or the identification code of the digital data is substitutedinto a third group of variables of the third multivariate function. 38.A computer readable recording medium having a program recorded thereon,the program controlling the computer so as to: accept an inputtedverifier's verification-key; accept an inputted signer's identificationcode; accept an inputted identification code of a digital data; acceptan inputted digital signature; generate a first evaluation value bysubstituting a random number into a second variable of a fourthmultivariate function; generate a second evaluation value bysubstituting the signer's identification code and the identificationcode of the digital data into a first and third variables of a thirdmultivariate function, respectively; and accept the digital signature asvalid if both of the first and second evaluation values equal, andotherwise reject the digital signature as invalid.
 39. The computerreadable recording medium according to claim 38, wherein the programcontrols the computer so as to generate a first evaluation value bysubstituting a group of random numbers into a second group of variablesof the fourth multivariate function.
 40. The computer readable recordingmedium according to claim 38, wherein the program controls the computerso as to substitute the signer's identification code into a first groupof variables of the third multivariate function, or substitute theidentification code of the digital data into a third group of variablesof the third multivariate function.
 41. The center computer, accordingto claim 14, in which a multivariate polynomial over a finite field isused for a multivariate function.
 42. The method according to claim 17,in which a multivariate polynomial over a finite field is used for amultivariate function.
 43. The computer readable recording mediumaccording to claim 20, in which a multivariate polynomial over a finitefield is used for a multivariate function.
 44. The first terminaldevice, according to claim 25, in which a multivariate polynomial over afinite field is used for a multivariate function.
 45. The methodaccording to claim 27, in which a multivariate polynomial over a finitefield is used for a multivariate function.
 46. The computer readablerecording medium according to claim 29, in which a multivariatepolynomial over a finite field is used for a multivariate function. 47.The second terminal device, according to claim 32, in which amultivariate polynomial over a finite field is used for a multivariatefunction.
 48. The method according to claim 35, in which a multivariatepolynomial over a finite field is used for a multivariate function. 49.The computer readable recording medium according to claim 38, in which amultivariate polynomial over a finite field is used for a multivariatefunction.
 50. The center computer according to claim 41, in thegenerating means for the first multivariate function, a multivariatepolynomial over a finite field is selected uniformly at random byselecting each coefficient of the polynomial uniformly at random fromthe finite field.
 51. The method according to claim 42, in which amultivariate polynomial over a finite field is selected uniformly atrandom by selecting each coefficient of the polynomial uniformly atrandom from the finite field.
 52. The computer readable recording mediumaccording to claim 43, in which a multivariate polynomial over a finitefield is selected uniformly at random by selecting each coefficient ofthe polynomial uniformly at random from the finite field.
 53. The centercomputer according to claim 41, in which a maximum degree of the firstvariable in the multivariate polynomial is taken more than or equal ton−1, where n is the number of signers.
 54. The method according to claim42, in which a maximum degree of the first variable in the multivariatepolynomial is taken more than or equal to n−1, where n is the number ofsigners.
 55. The computer readable recording medium according to claim43, in which a maximum degree of the first variable in the multivariatepolynomial is taken more than or equal to n−1, where n is the number ofsigners.
 56. The center computer according to claim 41, in which thenumber of the second variable in the multivariate polynomial is takenmore than or equal to a pre-defined number of colluders among verifiers.57. The method according to claim 42, in which the number of the secondvariable in the multivariate polynomial is taken more than or equal to apre-defined number of colluders among verifiers.
 58. The mediumaccording to claim 43, in which the number of the second variable in themultivariate polynomial is taken more than or equal to a pre-definednumber of colluders among verifiers.
 59. The center computer accordingto claim 41, in which a maximum degree of the third variable in themultivariate polynomial is taken more than or equal to a pre-definednumber up to which each signer is allowed to generate digitalsignatures.
 60. The method according to claim 42, in which a maximumdegree of the third variable in the multivariate polynomial is takenmore than or equal to a pre-defined number up to which each signer isallowed to generate digital signatures.
 61. The medium according toclaim 43, in which a maximum degree of the third variable in themultivariate polynomial is taken more than or equal to a pre-definednumber up to which each signer is allowed to generate digitalsignatures.
 62. The system according to claim 1, in which theidentification code of a digital data is a compressed data or an encodeddata of a digital data by a hash function.
 63. The method according toclaim 5, in which the identification code of a digital data is acompressed data or an encoded data of a digital data by a hash function.64. The medium according to claim 9, in which the identification code ofa digital data is a compressed data or an encoded data of a digital databy a hash function.
 65. The first terminal device according to claim 24,in which the identification code of a digital data is a compressed dataor an encoded data of a digital data by a hash function.
 66. The methodaccording to claim 27, in which the identification code of a digitaldata is a compressed data or an encoded data of a digital data by a hashfunction.
 67. The computer readable medium according to claim 29, inwhich the identification code of a digital data is a compressed data oran encoded data of a digital data by a hash function.
 68. The secondterminal device according to claim 31, in which the identification codeof a digital data is a compressed data or an encoded data of a digitaldata by a hash function.
 69. The method according to claim 35, in whichthe identification code of a digital data is a compressed data or anencoded data of a digital data by a hash function.
 70. The computerreadable recording medium according to claim 38, in which theidentification code of a digital data is a compressed data or an encodeddata of a digital data by a hash function.
 71. The first terminal deviceaccording to claim 44, in which a maximum degree of the third variablein the multivariate polynomial over a finite field is taken more than orequal to a pre-defined number up to which each signer is allowed togenerate digital signatures.
 72. The method according to claim 45, inwhich a maximum degree of the third variable in the multivariatepolynomial over a finite field is taken more than or equal to apre-defined number up to which each signer is allowed to generatedigital signatures.
 73. The computer readable medium according to claim46, in which a maximum degree of the third variable in the multivariatepolynomial over a finite field is taken more than or equal to apre-defined number up to which each signer is allowed to generatedigital signatures.
 74. The second terminal device according to claim47, in which the number of the second variable in the multivariatepolynomial over a finite field is taken more than or equal to apre-defined number of colluders among verifiers.
 75. The methodaccording to claim 48, in which the number of the second variable in themultivariate polynomial over a finite field is taken more than or equalto a pre-defined number of colluders among verifiers.
 76. The computerreadable recording medium according to claim 49, in which the number ofthe second variable in the multivariate polynomial over a finite fieldis taken more than or equal to a pre-defined number of colluders amongverifiers.
 77. The second terminal device according to claim 47, inwhich a maximum degree of the first variable in the multivariatepolynomial over a finite field is taken more than or equal to n−1, wheren is the number of signers.
 78. The method according to claim 48, inwhich a maximum degree of the first variable in the multivariatepolynomial over a finite field is taken more than or equal to n−1, wheren is the number of signers.
 79. The computer readable recording mediumaccording to claim 49, in which a maximum degree of the first variablein the multivariate polynomial over a finite field is taken more than orequal to n−1, where n is the number of signers.
 80. The second terminaldevice according to claim 47, in which a maximum degree of the thirdvariable in the multivariate polynomial over a finite field is takenmore than or equal to a pre-defined number up to which each signer isallowed to generate digital signatures.
 81. The method according toclaim 48, in which a maximum degree of the third variable in themultivariate polynomial over a finite field is taken more than or equalto a pre-defined number up to which each signer is allowed to generatedigital signatures.
 82. The computer readable recording medium accordingto claim 49, in which a maximum degree of the third variable in themultivariate polynomial over a finite field is taken more than or equalto a pre-defined number up to which each signer is allowed to generatedigital signatures.